[00:00.960 --> 00:10.320]  Okay, hi everyone. First, I need to clarify things about my slides. They're not
[00:11.400 --> 00:17.860]  built to be static, so a lot of things wouldn't make much sense.
[00:18.880 --> 00:26.940]  So this talk, it's one of my... it's my first talk ever, and it's been... I've been traveling
[00:26.940 --> 00:35.680]  for the last two years, giving this talk in many places. The last ones were in South Africa,
[00:35.680 --> 00:45.520]  besides Cape Town, and in... let me adjust my cell phone a little bit here. Okay.
[00:46.040 --> 00:55.220]  And the last one was in the United States, in this conference checkpoint.
[00:56.940 --> 01:05.880]  In New Orleans, just before COVID started. So, can you move the next slide, please?
[01:08.620 --> 01:14.020]  So, a little quick note. Just before the
[01:16.480 --> 01:22.280]  pandemic started, we were having a lot of demonstrations in my country.
[01:22.280 --> 01:30.940]  We had five months of demonstrations, just like... pretty similar to what's happening now in the U.S.
[01:33.200 --> 01:38.900]  So, what happened is that these four entities that I'm showing up here,
[01:38.900 --> 01:43.200]  Amnesty International, they developed reports about the situation, and they
[01:43.720 --> 01:49.820]  confirmed that human rights violations were happening in Chile. Next slide, please.
[01:54.460 --> 02:02.140]  So, I was pretty active during that time. Here you have some data.
[02:03.720 --> 02:13.040]  So, 35 people got killed by the police forces. 25 people lost their lives because of rubber bullets.
[02:13.340 --> 02:21.160]  And two people lost their sight completely. Next one, please.
[02:23.580 --> 02:26.900]  I'm trying to go as fast as I can because it's a long one.
[02:27.160 --> 02:32.280]  So, as I told you before, I was pretty active at the time. We were rescuing
[02:32.820 --> 02:40.040]  wounded people from the, what we call it, the front lines. So, just a couple of days before
[02:40.040 --> 02:48.380]  the pandemic started, we rescued one guy that had brain trauma because of a tear gas canister
[02:49.100 --> 02:56.320]  launched by the police forces. And he died the next day. So, it was pretty stressful for us.
[02:56.320 --> 03:06.000]  So, in a way, the pandemic kind of released that stress. The one on the right side with the big
[03:06.000 --> 03:24.060]  shield is a shield built by a TV. So, she was helping us with the most critical cases.
[03:24.160 --> 03:35.180]  Next one, please. So, after that quick brief, I'm going to present myself. I'm a
[03:35.180 --> 03:41.640]  computer science engineer. It's a career that only exists in Chile, that is six
[03:41.640 --> 03:47.880]  years long. But I really loved it. So, it took me nine years to get out of it.
[03:49.060 --> 03:54.460]  And like I said before, this is one of my, this is my first talk ever related to
[03:55.000 --> 04:01.020]  cybersecurity. And it got picked up by SkyTalks two years ago. And it was like the beginning
[04:01.020 --> 04:09.900]  of everything for me regarding DEF CON and cybersecurity. And I do a lot of classes as
[04:10.040 --> 04:18.540]  a professor in different types of instances. One is a free university where I teach CTF
[04:19.300 --> 04:29.920]  workshops. And with most of these guys, we went last year to DEF CON to present a workshop. I
[04:29.920 --> 04:42.100]  also work with a lot of projects related to health. So, recently, we want finance to get
[04:42.100 --> 04:49.100]  this, to do this project related to COVID-19 in my country. And right now, I'm learning
[04:49.100 --> 04:57.900]  OSINT. So, tomorrow, we're gonna participate in the Trace Labs CTF, which is a very good
[04:58.560 --> 05:08.980]  exercise to improve your Googling skills. And I have a small company, really small. So,
[05:08.980 --> 05:16.640]  I'm the founder, the CEO, and also the janitor. The things that I do most, I mean,
[05:16.640 --> 05:21.400]  all the time are workshops. So, next slide, please.
[05:23.940 --> 05:30.480]  So, last year, I went to DEF CON. So, I had the chance to meet Jayson, Jayson Street.
[05:30.980 --> 05:37.880]  And then, we went to DEF CON, DEF CON 27. That was an amazing experience.
[05:40.200 --> 05:45.660]  Yep. Next one. So, that's all about me.
[05:47.220 --> 05:54.460]  So, for you to understand this talk, I need to give you a little bit of context. So,
[05:54.460 --> 06:04.740]  in my country, we have a health system that is 80% public and 20% private. So, the public part
[06:05.620 --> 06:12.700]  is pretty much free. It's very different than the US. So, the public sector, we have around,
[06:12.700 --> 06:20.380]  now it's 15 million patients. So, at the top of the graph, you can see what's called MINSAL,
[06:20.380 --> 06:27.000]  which is basically the health department. And below that, you have 29, what they're called
[06:27.000 --> 06:37.260]  services. They're like institutions that try to coordinate the different hospitals and
[06:38.080 --> 06:45.380]  institutions. So, I was working in one of those services, which is actually the biggest.
[06:45.700 --> 06:55.340]  We have around 2.5 million patients. Okay. Next slide. Slide, please.
[06:57.660 --> 07:06.440]  So, how bad, I have trouble pronouncing the word macabre. So, how bad is this talk?
[07:06.440 --> 07:12.300]  When I was giving it, about to give it in SkyTalks, I was receiving threats
[07:13.100 --> 07:22.660]  by some people that I knew. Some people involved in the police units were sending them messages
[07:22.660 --> 07:32.040]  that if I did the talk, they would wait for me at the airport, they would sue me. And
[07:32.040 --> 07:39.280]  I, at the time, I also received an email from somebody saying that they were ordering to shut down
[07:39.280 --> 07:47.360]  all the servers related to health institutions, because they were afraid that I
[07:47.360 --> 07:55.180]  would give information that would allow DEF CON attendees to hack all our systems, which is really
[07:55.180 --> 08:05.180]  stupid. So, I asked if, they also told me that they were sending some people to watch my talk
[08:05.180 --> 08:11.480]  and to record it. So, I asked if there were some government officials in the room and they actually
[08:11.480 --> 08:20.160]  raised their hand. And months later, I received a recording from my talk that was surprising,
[08:20.160 --> 08:29.020]  because SkyTalks are pretty strict, you cannot take your cell phone out, it's not 100% safe.
[08:29.100 --> 08:35.760]  Luckily, nothing happened after that. Well, not nothing, but you can say that. I don't want to
[08:35.760 --> 08:49.550]  be, I don't want to give you spoilers. So, next one, please. So, I prepared different, some stories
[08:49.550 --> 08:57.330]  that will help you understand the context of what I have to face at work pretty much every day.
[08:57.730 --> 09:05.470]  So, I, the first story is called a very secure web service and the idea of this slide is just
[09:05.470 --> 09:13.610]  part by part and at the end you will see the image. So, the health department, they asked
[09:13.610 --> 09:28.700]  every institution for the patients that attended the public sector, around 15.
[09:29.300 --> 09:36.440]  So, they were, they gave me this assignment and I just found it weird that they would give you
[09:37.000 --> 09:44.620]  a web service, but you have to deploy your own web, their web service, which is very weird in
[09:44.620 --> 09:52.820]  my opinion. I worked as a developer for five years before getting into this job that I had
[09:52.820 --> 09:59.680]  at this place and I had never seen somebody send you a binary of a web service for you to deploy
[09:59.680 --> 10:06.820]  and use. And then you would upload the files to an FTP server, which is, again, really bad.
[10:07.380 --> 10:09.040]  Next slide, please.
[10:10.920 --> 10:18.840]  So, then I thought maybe I should check the security of it, right, the mindset of a hacker.
[10:18.980 --> 10:27.780]  And, you know, at first I was like checking out the 3DES algorithm, trying to find something
[10:28.540 --> 10:36.060]  that I could use, but at the end it was easier to decompile it and they have no obfuscation at all.
[10:36.060 --> 10:45.920]  It took me literally three minutes to decompile it and I found the key of the web service,
[10:45.920 --> 10:58.160]  so now I could download all these reports from the server and check all the data from all the
[10:58.160 --> 11:06.360]  pages. So, at least the key they're using was a good one. Next one, please.
[11:19.600 --> 11:22.340]  Now, okay. So, I reported...
[11:52.340 --> 12:02.720]  So, he demanded me, you know, a paper.
[12:10.600 --> 12:25.650]  And the answer was nothing. I never got any reply from him after that.
[12:27.130 --> 12:29.630]  So, next one.
[12:31.870 --> 12:39.750]  So, the second story is what we call it a very secure electronic health record.
[12:40.770 --> 12:51.770]  And this software had over a million pages of data, anything that you can imagine, exams,
[12:51.770 --> 13:01.510]  prescriptions. And they looked it up on the internet using Oracle, very expensive databases
[13:01.510 --> 13:08.650]  and the database was only 40 gigs. And there are not many transactions, so that's difficult
[13:08.650 --> 13:18.530]  in the public sector to buy expensive software. So, they have 18 developers. This is the part
[13:18.530 --> 13:25.530]  where the facts explain against me.
[13:25.550 --> 13:38.190]  So, CBS had 800 word files. Next one, please.
[13:47.300 --> 13:51.280]  Hello. Okay.
[13:51.280 --> 14:01.700]  So, what happened one day is that they were audited of this work. And I was invited,
[14:01.700 --> 14:10.760]  just as somebody that was a part of the project. And at some point, they asked this developer,
[14:10.760 --> 14:16.780]  so the project manager, about the security of this software. And he said,
[14:16.780 --> 14:25.140]  security, because they had implemented a five-digit password. And I couldn't, you know,
[14:25.140 --> 14:34.400]  I couldn't not raise my hand and ask them, are you serious? I mean, five digits? That
[14:34.400 --> 14:43.300]  almost got me fired, because I said I couldn't attack or do friendly fire to my own colleagues,
[14:43.300 --> 14:49.740]  even though they were not really my colleagues. And I have to apologize. I have to apologize,
[14:49.740 --> 14:58.860]  because even though they were stupid, I shouldn't have said that at this point.
[14:59.180 --> 15:10.140]  Next, please. So, at that point, not really understanding, I was thinking it was like
[15:13.480 --> 15:20.800]  something... and they attacked me for a couple of weeks. They were asking, some people were asking
[15:20.800 --> 15:27.340]  for me to be fired, you know, directly. I cannot work here anymore. So, I was lucky,
[15:27.340 --> 15:34.680]  because my boss, the director of the institution, supported me all the time. Next slide.
[15:40.740 --> 16:00.640]  So, one day, I went to work. I couldn't get into Gmail. We were using Gmail. So, I couldn't
[16:00.640 --> 16:10.520]  Google it. But if you could work, Twitter, you could get into an email, and all that.
[16:13.840 --> 16:22.700]  So, I mean, I was the only one from home. And how could I think about Google? I mean,
[16:22.700 --> 16:28.300]  they hired me to do something that I didn't know how to do it. So, I had to Google a lot.
[16:28.300 --> 16:35.780]  Basically, planning a data server, a big one in a hospital.
[16:41.740 --> 16:48.720]  So, I was very critical. I couldn't understand how something like this could happen in such a
[16:48.720 --> 16:55.960]  big institution. So, I did research on the IT manager and the director of the institution
[16:55.960 --> 17:16.320]  to know what happened. And the IT gave me a paper. So, that's how I learned so much.
[17:16.720 --> 17:24.280]  It said most that they blocked every Google service. Because through Google,
[17:24.280 --> 17:33.540]  you could get into forbidden sites, like porn sites or gaming sites. So, they are out of pretty
[17:34.780 --> 17:45.480]  bandwidth, or they set out a limit. I think I can remember it was like 2000 megabytes per IP.
[17:46.320 --> 17:54.460]  So, that's why every... which was mind-blowing. Next one, please.
[17:59.240 --> 18:07.760]  So, time, which reflects my reactions at the time. Next one.
[18:15.310 --> 18:29.280]  Start changing this part. So, how do you get a little bit of the context of what the work was
[18:29.280 --> 18:41.800]  about? Probably, I'm going to write not a book, but a blog. I have 50 of those.
[18:42.500 --> 18:59.140]  So, go to this part of this talk. And how everything started. Next slide, please.
[19:02.420 --> 19:10.200]  So, imagine that you're working, this is your new job, and you've been there for 10 months.
[19:10.360 --> 19:20.680]  And they ask you to find some IPs and add some bridges. But they didn't know which one I was
[19:20.680 --> 19:30.920]  looking for. And then they said, let me see if I could increase the range. So, I ended up finding
[19:31.460 --> 19:48.280]  50,000 devices. And this is a part that you could really understand the transitions.
[19:49.840 --> 19:56.560]  There was no virtualization of the network. Not at all. So, you could see all the devices
[19:57.390 --> 20:26.540]  from the northern part of the country. So, I couldn't read why that was. I thought I had a
[20:26.540 --> 20:42.940]  list. Next slide, please. So, I started to check all those devices. And I was finding more and
[20:42.940 --> 20:54.560]  more. I mean, there are just so many that even the software that they give you does not respond
[20:54.560 --> 21:00.760]  properly because there are so many devices. They don't just take a long time to load on the
[21:00.760 --> 21:10.840]  screen. So, I found a lot of folders with public privileges. And some with public
[21:11.800 --> 21:12.920]  privileges. And even the
[21:14.820 --> 21:26.920]  they have all these hospital related files, architecture files. So, then I discovered
[21:26.920 --> 21:32.830]  they had public write privileges. So, anyone could have deleted the server.
[21:33.550 --> 21:43.930]  And the things that I could see, I think the last part is not on the slide, but
[21:45.350 --> 21:47.710]  I could access a lot of
[21:51.590 --> 22:22.160]  things. Next one, please. So, after that, a couple of months went by.
[22:22.920 --> 22:33.520]  Trying to understand the problem, like, how this is possible, right? So, what I discovered is that
[22:33.520 --> 22:44.640]  the, you know, like, they didn't know how to share. So, imagine sharing, say, a 500 megabytes
[22:44.640 --> 22:51.240]  file. It will just share a folder, put it on the shared folder and send the address
[22:51.740 --> 23:13.320]  to another person without rechecking. Next one. It's not moving.
[23:16.900 --> 23:26.740]  So, my boss at the time told me, do you need to get about all your files and send email
[23:26.740 --> 24:02.190]  to them? So, can you hear me now? Okay. So, let's continue with the presentation.
[24:02.780 --> 24:12.330]  So, like I was saying, I sent this email report with the IP addresses, the folders,
[24:12.330 --> 24:21.590]  and the files that you could retrieve from the shared folders. So, the worst one is that you
[24:21.590 --> 24:32.770]  could find information of HIV patients, information that is protected by a special law
[24:32.770 --> 24:40.650]  in Chile that is implemented for that information to be anonymous. Otherwise,
[24:40.650 --> 24:49.530]  you might be, you might suffer discrimination, looking for a job, et cetera. So, that was the
[24:49.530 --> 25:10.600]  worst part of it. Next one, next slide, please. And you know what? I didn't receive any answer
[25:10.600 --> 25:21.560]  directly to these emails. But then my boss sent me one of the emails she received as an answer.
[25:21.560 --> 25:30.220]  One of the things that I was more upset about, it was just that I didn't exist for them because I
[25:30.220 --> 25:39.880]  had been working there for only a month. So, not even a reply directly to my email,
[25:39.880 --> 25:48.460]  not even a, let's say, congratulations for helping us or heads up for, I don't know,
[25:48.460 --> 25:57.080]  trying to help the institution. And then this guy, the IT support manager, was also the CSO,
[25:57.080 --> 26:08.840]  which is very weird. But they were chosen for those, let's say, roles just if you've completed
[26:10.580 --> 26:22.180]  like an online course on ISO 27001. That was the only requisite to be part of the
[26:23.340 --> 26:33.360]  CSO, let's say, role. So, this guy sent an email saying that it was a big problem, but
[26:33.360 --> 26:40.660]  none of those IP addresses were from our institution. But the thing is that I
[26:41.960 --> 26:49.300]  didn't even think about it, you know, I didn't plan myself to find our IPs. So, after that,
[26:49.300 --> 26:57.740]  I sent another email with all the IPs that belong to us. Next slide, please.
[26:58.620 --> 27:09.380]  So, they didn't check anything, right? They just like tried to save their assets.
[27:11.120 --> 27:19.610]  But they didn't know that I had many, many IP addresses. So, next one.
[27:22.820 --> 27:29.820]  So, on the third email, I only included IP addresses from our institution
[27:29.820 --> 27:42.030]  and from all of us. They belong to what is called a health network.
[27:43.270 --> 27:54.750]  So, we are responsible for what they do in terms of use of information. So, I sent them,
[27:54.750 --> 28:02.990]  I cannot read it from my cell phone, but they were the most important hospitals in the country.
[28:02.990 --> 28:10.930]  One of the hospitals is called Sótero del Río. It has over 3 million patients.
[28:11.250 --> 28:18.870]  And they had a server with everything that you can imagine. They had passwords, servers,
[28:18.870 --> 28:29.620]  webcam, I mean, security cameras. They had backups of many machines, x-rays,
[28:29.620 --> 28:33.200]  whatever you can imagine. I don't even remember now,
[28:33.200 --> 28:39.540]  but it was so much information that I was not able to process all. Next one.
[28:43.090 --> 28:53.130]  So, the answer for 10 months was nothing at all. Next one, please.
[28:56.650 --> 29:09.410]  So, one of the classes that I teach now is one where I was a student.
[29:11.150 --> 29:18.870]  And while I was a student, my sound is not... I don't know if you can hear me well, but
[29:20.150 --> 29:22.630]  on my end, I'm getting a lot of noise.
[29:24.090 --> 29:32.310]  Well, I had this class with one of the IT managers of the health department.
[29:32.990 --> 29:40.810]  And we were both students. She was quite older than me, right? And during the coffee break,
[29:40.810 --> 29:48.270]  I told her that I was the one who sent those emails that I never got a reply back.
[29:48.270 --> 29:54.470]  And she said, we're fixing it. You know, like, cutting me off, like, giving me the hand.
[29:54.470 --> 29:59.350]  You know when somebody tells you, like, stop? Like, we're fixing it.
[30:01.490 --> 30:07.410]  And also, she said, I know. But then... Next one, please.
[30:10.370 --> 30:16.510]  She ignored me for the rest of the classes, like, for two weeks.
[30:23.650 --> 30:31.710]  She thought I was some crazy guy telling, like, things that she didn't know about.
[30:32.730 --> 30:42.490]  Okay, next one, please. So, after 10 months, no answer, no changes. I could still check
[30:42.490 --> 30:49.650]  all the IP addresses. I was running scanners, like, two times per week, two times per week,
[30:49.650 --> 30:55.130]  and everything was the same. And not even a thank you, you know, we're all hackers,
[30:55.130 --> 31:02.790]  we're all sensitive. So, I was very sad. Next one, please.
[31:05.330 --> 31:11.370]  So, how do you fix something that nobody cares about?
[31:12.750 --> 31:19.650]  So, I was, I contacted one of these journalist groups that are very,
[31:20.170 --> 31:26.290]  they're very important in Chile. They were part of the Panama Papers investigations. They
[31:26.290 --> 31:35.050]  discovered a lot of politicians from Chile on those, on those leaks. And I sent them the
[31:35.050 --> 31:41.350]  information, and just right away, they were like, we can't believe that this is true. We need,
[31:42.430 --> 31:51.830]  next, next slide, please. So, they wanted me to show them all this information from my computer
[31:52.490 --> 31:58.810]  in order for them to be sure that I was, that I was correct, I mean, that I didn't have, like, a
[31:58.810 --> 32:08.970]  special connection or whatever. So, I asked a journalist to sit next to me and to check all
[32:08.970 --> 32:14.510]  these folders. It was very, like, it was very scary for me. I was only thinking that I'm going
[32:14.510 --> 32:21.150]  to get caught and, you know, be fired or whatever. And after a while, when they processed all this
[32:21.150 --> 32:27.890]  information, they were asking me a lot, a lot of details, you know, like, send us an email,
[32:30.930 --> 32:38.730]  how many patients in total, how many patients with abortion. So, I had to work for a month.
[32:39.830 --> 32:50.130]  You know, like, sending them evidence. And at some point, they asked me to test the same thing in
[32:50.130 --> 33:00.930]  three different places. So, I needed to ask somebody to allow the journalist inside their
[33:00.930 --> 33:09.430]  offices. So, one of these guys that I asked him, a friend of a friend, he almost, he actually sent
[33:09.430 --> 33:22.940]  an email to their IT department. And he said, okay, I just sent an email to the IT department
[33:22.940 --> 33:34.300]  asking if this is possible. And I said, no, you're destroying this investigation. You're
[33:34.300 --> 33:37.320]  destroying this investigation. And he said that what I wanted to do was basically get into the
[33:37.320 --> 33:45.940]  folders and from another office, they said it was not possible. So, that saved me.
[33:47.900 --> 33:55.020]  But the journalists were very nervous. They even thought about publishing the information that day,
[33:55.020 --> 34:02.220]  the very same day. But this email with this guy is telling us it was not possible to just make
[34:02.220 --> 34:08.720]  things, make things a little more calm. Next one, please.
[34:12.660 --> 34:19.980]  So, how did I get this information? It's very simple. It's sometimes when I started doing
[34:19.980 --> 34:26.740]  hacking or I did some pretty big stuff, for example, in Brazil when I was living there,
[34:27.180 --> 34:33.360]  I took control of over 3,000 routers. And it was so simple that I thought it was something that
[34:33.360 --> 34:40.480]  was not worthy, that it was pretty lame, you know? But after that, I learned that it doesn't
[34:40.480 --> 34:47.480]  matter how difficult it was, what is important is what you got out of it, what kind of information
[34:47.480 --> 34:52.920]  you can get. And now that I have more experience, it's like getting into Shodan and you can do a
[34:52.920 --> 35:03.340]  lot of things without knowing anything. Just like running some scripts and,
[35:04.140 --> 35:07.660]  but at the time, I didn't have a lot of experience, so I didn't know.
[35:07.660 --> 35:17.980]  So, next one. I didn't know that doing something that is not technically complex,
[35:18.960 --> 35:28.160]  it's also valuable, you know? So, my approach was to gather everything, you know? Like,
[35:28.160 --> 35:34.620]  every file that was signed, every document. But the thing is that this network was so bad
[35:35.300 --> 35:43.880]  that some nodes, they were giving me 100 kilobytes per second of speed. So, it was like,
[35:43.880 --> 35:52.040]  I couldn't copy a lot of code. It would take me months, right? So, the other thing that I had to
[35:52.040 --> 35:57.620]  manage is that computers, most of those computers, even servers, they were turning off at 6 a.m.
[35:59.200 --> 36:06.940]  So, I only managed to copy 300 gigabytes out of more than a few terabytes of scan.
[36:07.220 --> 36:14.620]  And you're not really scared of copying those files because I was probably sending
[36:14.620 --> 36:23.820]  files to a firewall that somebody is copying or it's used in a unique way.
[36:24.100 --> 36:31.340]  And 24 hours, but then I learned that nobody takes the firewalls.
[36:32.920 --> 36:40.000]  No one really pays attention to them. They just believe that they are not safe.
[36:52.940 --> 37:00.360]  So, after a while, I said I cannot get everything. I needed to just get rid of
[37:00.360 --> 37:06.540]  the things that we have in our brains that sometimes we want to store everything, you know?
[37:07.180 --> 37:14.600]  Simple and have issues, you know? They have information that they're never going to see
[37:14.600 --> 37:19.320]  again. People that buy books and buy books and never read them again.
[37:20.080 --> 37:30.020]  So, I have to, like, I did this only a couple of times. And then, you know,
[37:30.020 --> 37:42.080]  grabbing for terms, keywords, like HIV or, you know, well, there were things to look for.
[37:42.800 --> 37:51.880]  I published my article and I was trying to know that I was going to get fired.
[37:51.880 --> 38:00.160]  So, I didn't want to lose my vacation. So, I mean, we miss everything. Like, in the flight
[38:00.160 --> 38:10.000]  and the articles, people, I know they were all sentences. So, I prefer to be in another country.
[38:10.720 --> 38:21.380]  That way, I will be on the way with a proper structure or idea of what is good.
[38:22.680 --> 38:28.140]  And actually, that's what happened. The first day, the guy called me. He was calling me and
[38:28.140 --> 38:39.980]  she said, you know, since I talk too much, you know, she was always
[38:40.860 --> 38:47.420]  was too impulsive saying that things didn't work or that there were problems with everywhere.
[38:47.420 --> 38:52.460]  That was a head-scratcher. I said, I don't like it. So, probably some
[38:52.460 --> 39:02.700]  and then some journalists and that's what happened. Yeah, yeah, you do speak a lot.
[39:09.060 --> 39:27.100]  So, I could check the privileges they had and just put it on a file and just
[39:27.980 --> 39:35.000]  every time the journalist asked me for anything, I would just add information and then
[39:35.000 --> 39:48.570]  post it. So, now let's get serious. I'm really serious about this.
[39:51.190 --> 39:57.250]  So, this meme was really good. It was displayed after the title, but
[39:57.990 --> 40:05.630]  this is not that bad as when I did this talk in Beijing. Every joke that I made, every meme,
[40:05.630 --> 40:13.670]  there was no response. I did some hearts and claps for me, but it was only one of the worst
[40:13.670 --> 40:34.810]  talks ever I ever given. No response from the public. Examples are this server that I found
[40:35.530 --> 40:49.270]  blog. It was 23,000. And every update, email, phone number, cell phone number.
[40:51.050 --> 40:58.010]  The ID, we have a thing that's good. That is an ID number and with that ID number,
[40:58.010 --> 41:04.010]  it's pretty much like the social security number in the US.
[41:06.250 --> 41:20.580]  Next slide. So, another example is a server protection. Again, you have all the patient
[41:20.580 --> 41:31.340]  data and sensitive information that is protected by the two specific laws.
[41:33.320 --> 41:38.460]  This type of thing doesn't have to be in any way public.
[41:52.230 --> 41:59.770]  Next slide.
[42:00.470 --> 42:34.580]  Did something happen? Okay.
[42:34.740 --> 42:38.580]  Okay. So, I'm gonna look in again.
[43:20.140 --> 43:37.220]  I apologize everybody for interrupting the talk again, but the speaker needs to reenter this
[43:37.220 --> 43:44.020]  space because it is some problem from his end probably or from the Microsoft end,
[43:44.020 --> 43:47.840]  but we had Q4Q from Microsoft in here to reset the space and
[43:49.640 --> 43:53.520]  rectify whatever the issue was and it was earlier, right?
[43:54.580 --> 44:01.540]  But then, we are facing the same issue again. So, I think we have to wait for Philip to get
[44:01.540 --> 44:08.840]  back and continue his speech. So, until then, thanks a lot for your patience again.
[44:22.760 --> 44:28.440]  Okay. So, as soon as he'll be back, you need to continue the slides.
[47:07.680 --> 47:09.620]  Do you want me to send it now?
[47:32.380 --> 47:50.060]  I'm really sorry. I hope we will not face any such issues for the future talks, but
[47:51.600 --> 47:54.580]  like we hackers, we are not a big fan of
[47:55.780 --> 48:02.140]  being on Windows and this is a contradictory statement because we are on a platform that
[48:02.140 --> 48:09.400]  is backed up by Microsoft. But then, hackers love Linux. That is the whole truth, whole
[48:09.400 --> 48:14.980]  and sole truth that we know. So, some of the speakers like Philip himself, he was trying to
[48:14.980 --> 48:21.620]  run AltspaceVR on the Linux machine that he has. So, I think probably this is one of the issues
[48:21.620 --> 48:28.820]  that he is facing. So, thanks a lot for joining in and please stay for a while because we have
[48:28.820 --> 48:38.520]  another presentation coming up after Philip's. And thank you again.
[52:50.060 --> 52:51.540]  Okay, I'm back.
[53:02.010 --> 53:04.810]  All right, so...
[53:58.880 --> 54:01.480]  Can you hear me now?
[54:02.300 --> 54:07.500]  Can you, if you can still hear me, give me your claps.
[54:09.180 --> 54:13.760]  Okay, great. So,
[54:13.760 --> 54:33.410]  well, it's been very tiring to restore. Let me get my slides here, here, there.
[54:34.390 --> 54:42.230]  So, okay, just kind of trying to finish. I sent the logs that they asked me to.
[54:43.190 --> 54:54.720]  So, we can go to the next slide right here. Next slide, please.
[55:02.980 --> 55:08.120]  And another example of what I found, it's
[55:09.940 --> 55:17.300]  a 35 gigs of monographies, again, with all the patient data splurged on the right.
[55:17.300 --> 55:20.520]  The time is 4 o'clock p.m.
[55:21.540 --> 55:38.100]  Yeah, it was only one server. It's only three servers that I sampled. I was kind of,
[55:38.100 --> 55:42.720]  my computer or my laptop, so I deleted everything.
[55:44.040 --> 55:54.600]  I ran, like, three cycles of shred. So, at the end, I don't have a lot of
[55:54.600 --> 56:00.260]  that information at the time. I just thought it was better to get rid of them.
[56:01.720 --> 56:03.260]  Next one, please.
[56:10.900 --> 56:17.000]  So, again, I'm saying a lot of so's and I try not to.
[56:22.600 --> 56:33.540]  So, I counted doc files, TXT, PDFs, and over 4 million files.
[56:34.090 --> 56:39.500]  But I didn't count all the types. Photographs, for example.
[56:40.460 --> 56:45.180]  ZIP files that had a lot of backups of many servers.
[56:45.640 --> 56:47.840]  Next slide, please.
[56:54.650 --> 56:58.510]  In this slide, you can see, for example, in this image, you can see
[56:58.510 --> 57:08.730]  pills, the word pills in Spanish, which is píldora, and how many files with the name píldora and
[57:08.730 --> 57:17.730]  in spreadsheet format, and there were 120.
[57:19.190 --> 57:25.550]  And this is the after pill, or emergency pill. And if you see the data,
[57:26.690 --> 57:33.230]  if you get inside those files, you can see reasons why they were asking for those pills.
[57:33.230 --> 57:43.790]  Some that were abused. Some people, some girls were raped. You can even see the situations.
[57:49.660 --> 57:52.700]  Okay, next one, please.
[58:06.040 --> 58:08.180]  And next one.
[58:15.060 --> 58:18.860]  And in this, no, the one before.
[58:20.160 --> 58:24.160]  One back, please. Sir.
[58:27.810 --> 58:43.830]  In this one, I was looking for files with the word HIV in Spanish. And I found 772 files.
[58:44.250 --> 58:48.610]  And you can see the file names. I don't know if you can see them. I don't know if you can read
[58:48.610 --> 59:00.850]  them. But believe me, there were IP addresses followed by the name. And then I could retrieve
[59:00.850 --> 59:08.290]  them and send them to the journalist. They were looking for bad stuff. You know, they were just,
[59:08.290 --> 59:14.230]  they were asking me, give me the worst. We want the worst. We want everything that you can give
[59:14.230 --> 59:22.510]  that will be pretty bad regarding the laws and the public interest.
[59:22.650 --> 59:31.690]  So next one. Next one. I'm about to finish, so be patient. I know it's been long.
[59:32.810 --> 59:43.150]  I'm feeling it. Next one. Let's move in.
[59:44.390 --> 59:53.290]  So, again, what happened? What was their strategy? The reason why they asked me for three places
[59:53.290 --> 01:00:05.510]  is they wanted to be sure that this was a more general problem that they were trying to,
[01:00:05.510 --> 01:00:11.770]  they were trying to find proof that there was a widespread problem, like I said,
[01:00:11.770 --> 01:00:17.530]  because I was sure, you know, I was telling them, I'm sure that this is not a thing about
[01:00:17.530 --> 01:00:24.950]  my computer, it's a network problem. And what they did is that they scheduled a meeting with
[01:00:24.950 --> 01:00:32.510]  this minister, with the health minister of the head of the health department. And they never said
[01:00:32.510 --> 01:00:41.750]  that they were part of this group called CIPER. So they presented themselves as a random guy,
[01:00:42.470 --> 01:00:52.070]  so after a month, I guess, they talked to her, they went to her office, and they asked for her
[01:00:52.070 --> 01:01:01.350]  computer to show her the problem. And from her computer, they managed to download all this
[01:01:01.350 --> 01:01:06.650]  information that I've given them, the IP addresses, they only put the IP address, the folder, and then
[01:01:06.650 --> 01:01:15.510]  you got many, many files with HIV patients. And she was, the journalist told me, she was a white
[01:01:15.510 --> 01:01:25.190]  woman, she was like, she was shocked. Next one, please. And they were pretty badass, you know,
[01:01:25.190 --> 01:01:31.030]  they say, you got 24 hours to fix it. They never said they were from a journalist group.
[01:01:31.350 --> 01:01:36.570]  So at that point, the minister, she didn't know what would happen. She thought it was
[01:01:36.570 --> 01:01:42.990]  just a problem that they needed to fix. So what happened after that is that they published 24 hours
[01:01:42.990 --> 01:01:50.990]  later, all this information that I've given them, and they were, it says in Spanish, and of course
[01:01:50.990 --> 01:02:04.410]  it's in Spanish, right? But it says 100,000 workers could, even companies that were given
[01:02:04.410 --> 01:02:11.530]  services or, let's say, outsourcing companies, they had access to all these files, all these files.
[01:02:12.990 --> 01:02:20.430]  And they put there that they have at least 3 million files that could be, that were unprotected.
[01:02:21.330 --> 01:02:33.750]  Next one, please. You can Google this information. And then all mainstream media
[01:02:33.750 --> 01:02:39.830]  picked up this information, even from other countries. I was checking everything from
[01:02:39.830 --> 01:02:44.730]  Colombia at the time. Even some Colombian newspapers picked up this information.
[01:02:46.370 --> 01:02:52.230]  And friends would tell me that it was all over the TV, all over. And I was receiving that,
[01:02:52.230 --> 01:02:55.370]  some of the people told me that some people wanted to talk to me
[01:02:55.370 --> 01:03:01.530]  at the office, but I was on vacation, so I was free of that. Next one, please.
[01:03:05.980 --> 01:03:13.660]  So this solved the problem in a couple of days. But what they did, they blocked the
[01:03:15.740 --> 01:03:23.580]  files from every institution, right? So you couldn't access shared folders from another
[01:03:23.580 --> 01:03:30.400]  institution, but you could still access all the shared folders from your, behind your router,
[01:03:30.400 --> 01:03:38.280]  right? I even tried, tested it. So you could access, for example, what it worked,
[01:03:38.280 --> 01:03:46.480]  I could access information from five hospitals, and I could still access a lot of information
[01:03:48.140 --> 01:03:56.520]  that it should have, they should have, you know, like forced everyone to unshare those folders,
[01:03:56.520 --> 01:04:03.660]  because it's, it's, it's against the law to have personal data, sensitive data
[01:04:05.620 --> 01:04:15.680]  exposed, right? But I'm gonna tell you later why this, this fix was enough for them. Next one,
[01:04:15.680 --> 01:04:26.500]  please. The funny thing is, not the funny, but the worst thing is that before doing all this,
[01:04:26.500 --> 01:04:34.180]  the press, we tested that in many places, 100% of the places that we tested,
[01:04:34.600 --> 01:04:41.980]  you only needed to connect to a network cable, and that was it. There were no restrictions,
[01:04:41.980 --> 01:04:50.100]  just connecting to, to any, to any plug, and you would have access to the entire network.
[01:04:51.180 --> 01:05:00.380]  So, she was called to, she was called to Congress to give a, an explanation, but she just lied.
[01:05:00.960 --> 01:05:09.180]  And again, she was saving a lot of people's asses. And the good thing, well, the bad thing is that
[01:05:09.780 --> 01:05:16.120]  they created a feeling of panic, you know, nobody wanted to give you any information at all,
[01:05:16.120 --> 01:05:20.280]  not even the one they were required to give you, you know, like, they were like saying,
[01:05:20.280 --> 01:05:25.160]  no, because of what happened, I cannot give you anything, but I'm allowed to have it,
[01:05:25.160 --> 01:05:30.600]  I mean, internally as a, as a part of the same institution. So, it created a panic.
[01:05:30.860 --> 01:05:36.420]  And then, they were not sharing any information, like, like,
[01:05:36.420 --> 01:05:44.640]  it created the opposite effect, you know, like the extreme effect. And for me, it was, it was a good,
[01:05:44.640 --> 01:05:52.420]  what happened afterwards, afterward was good in my, in my, in my job, because I, they gave me,
[01:05:52.420 --> 01:05:59.420]  the director of the institution told me to create a security department specializing in finding
[01:05:59.420 --> 01:06:05.700]  these issues, right? But we were, we were too against the world, you know, we were,
[01:06:05.700 --> 01:06:14.340]  nobody wanted to be told that they had a problem. So, I found, for example, that you could,
[01:06:14.340 --> 01:06:22.660]  they had default passwords in 5,000 email accounts. And I, I told them, and I did a presentation
[01:06:22.660 --> 01:06:29.500]  explaining to them why it was bad. And their answer were, their answer was crazy. They said,
[01:06:29.500 --> 01:06:37.920]  public servants are public, I mean, no, no, it's wrongly proposed, it didn't say correctly.
[01:06:38.700 --> 01:06:42.960]  Since they were public servants, they say that their emails should be public.
[01:06:42.960 --> 01:06:49.480]  So, for them, it was okay that you could log in from the internet, from, not even from the
[01:06:49.480 --> 01:06:54.280]  inside the net, from the internet, you could log in on their accounts and check their email.
[01:06:54.400 --> 01:07:01.840]  And inside those email accounts, they have patient information again. So, at some point,
[01:07:01.840 --> 01:07:07.700]  we're just like, we're not, we're not going anywhere, we're, it's just us against the world.
[01:07:08.260 --> 01:07:09.500]  Next one, please.
[01:07:11.900 --> 01:07:21.400]  So, again, after the government change, after the, this right-wing government that
[01:07:22.600 --> 01:07:29.660]  set foot or created this scenario for demonstration that lasted for five months,
[01:07:29.660 --> 01:07:33.640]  that I told you at the beginning, they fired me on the first day, you know, like,
[01:07:33.640 --> 01:07:39.760]  first hour, they fired, they sent me an email to fire me, but I knew it, they were gonna do it,
[01:07:39.760 --> 01:07:47.380]  so I was, again, on my holidays, I was on vacation. So, that forced them to fire me by email.
[01:07:48.200 --> 01:07:55.740]  But that gave proof and evidence that they fired me with no reason, because they never
[01:07:55.740 --> 01:08:01.060]  gave a reason on the email, because they thought that they were entitled to, but they didn't know
[01:08:01.580 --> 01:08:08.360]  that the law, it's complicated, but they didn't know that the laws changed regarding whether you
[01:08:08.360 --> 01:08:18.920]  can fire without any cause a public employee. So, they fired me, and a lot of projects that I was
[01:08:18.920 --> 01:08:24.920]  in charge of with the UCL, for example, University College London, and Johns Hopkins, which is
[01:08:24.920 --> 01:08:33.600]  the best university in the world regarding the health sciences, but I sued them, you know,
[01:08:34.040 --> 01:08:40.540]  I knew before they fired me that I could sue them, I knew exactly what part of the law changed,
[01:08:40.540 --> 01:08:47.460]  the Supreme Court ruled that every public servant, even though they had temporary contracts,
[01:08:47.460 --> 01:08:54.580]  they're allowed to be compensated if they had a permanent role, and I have a permanent role,
[01:08:54.580 --> 01:08:58.400]  so when they fired me, they were just like, ah, nothing's gonna happen, just fire this guy,
[01:08:58.400 --> 01:09:04.960]  and that's it, but then I sued them, and that ended up in the media, they accused me of being
[01:09:05.100 --> 01:09:14.600]  a hacker, that I stole information, that I destroyed servers, and again, it was this lawsuit,
[01:09:14.600 --> 01:09:21.360]  it was just about proving that I worked there or not, not about me, but the China, you know,
[01:09:21.360 --> 01:09:27.100]  assassination of character, and they said I was a bad hacker, that I went to DEF CON,
[01:09:27.100 --> 01:09:35.980]  they even copied the screenshot of the talk that I gave at Skytalks as a proof that I was bad,
[01:09:35.980 --> 01:09:41.120]  even though the talk was after I was fired. Next one, please.
[01:09:44.340 --> 01:09:51.960]  So after that, this government is still in power, right? I've been banned from working with any
[01:09:52.820 --> 01:10:03.180]  government agency, I was about to do a pen test, and in the last day, they said that they lost
[01:10:03.180 --> 01:10:09.580]  their resources, but then a friend of mine told me, and even sent me the WhatsApp conversations,
[01:10:09.580 --> 01:10:15.560]  they told this person that she was going to be fired if she hired me.
[01:10:17.200 --> 01:10:26.960]  So I got very famous at the time, in a bad way, but that didn't stop there. I wanted to know,
[01:10:26.960 --> 01:10:32.620]  because I did a formal investigation of what happened, I went there as a witness and blah,
[01:10:32.620 --> 01:10:42.640]  blah, blah, and I got the investigation report, I got the documents, there were over 1200 pages,
[01:10:42.640 --> 01:10:47.300]  I had to pay $50 for them to give it to me, because they have to print it, and they have to
[01:10:47.300 --> 01:10:52.680]  remove all the sensitive information, which is stupid, because they removed their email addresses
[01:10:52.680 --> 01:11:00.720]  that I could get easily, and I wanted to know what happened. I wanted to know why nobody did
[01:11:00.720 --> 01:11:09.360]  anything, the reasons, or at least I wanted to know, even though I was a witness, or I testified
[01:11:09.360 --> 01:11:16.240]  in a way, they never gave me any feedback. They don't call you and tell you this is what happened,
[01:11:16.240 --> 01:11:21.240]  or no, nothing, and they just tell you to get the information using the proper channels.
[01:11:21.520 --> 01:11:30.400]  So I got this, next slide please, I got this big chunk of paper, you know, it's like
[01:11:33.320 --> 01:11:43.180]  a big pile of papers, next one please. So I started to read them, you know, through every page,
[01:11:43.180 --> 01:11:49.820]  and they have a lot of, a lot of people say that they didn't know me at all. A lot of people
[01:11:49.820 --> 01:11:57.040]  lied, they said they never received an email, never heard about it, that they didn't know
[01:11:57.040 --> 01:12:08.760]  about me. But then they have this part of the document, they say that it was possible to fix it,
[01:12:08.760 --> 01:12:13.420]  but it would have taken a big impact on their operation.
[01:12:14.160 --> 01:12:20.540]  Which was not true, because they fixed it in a day, without any disruption. And then they say
[01:12:20.540 --> 01:12:30.340]  that it's every person's responsibility, and it's a personal issue, which is not true, because
[01:12:30.340 --> 01:12:37.620]  the law entitles every person in charge of sensitive information for patient data
[01:12:37.620 --> 01:12:45.780]  to be responsible for it. And this guy just, you know, it's all about, you know, this typical
[01:12:45.780 --> 01:12:52.440]  thing about working in IT, that everyone blames the user, the same. It's the user's problem,
[01:12:52.440 --> 01:12:58.960]  it's the sharing information, it's their problem. Next one please. So this was the excuse number one.
[01:13:00.860 --> 01:13:09.460]  And then, excuse number two, again, another guy in the top rank of the institution said
[01:13:10.320 --> 01:13:17.340]  that it's, again, the user's responsibility, and it's very complex to identify these folders.
[01:13:17.340 --> 01:13:24.280]  And you remember that the script that I run, it was like five lines, it was really easy to do it.
[01:13:24.280 --> 01:13:30.500]  They had access to everything, all the tools that I didn't have. And the last one, again, 14 says
[01:13:31.640 --> 01:13:35.320]  it's a fault, they're blaming the users, again.
[01:13:39.740 --> 01:13:45.640]  Because I should have informed them, or my boss, which I did.
[01:13:48.040 --> 01:13:53.520]  And again, they didn't know anything about it. Even though I sent many emails, I tried to
[01:13:53.520 --> 01:13:59.620]  reach them in many channels, but nobody wanted to listen. Next one please.
[01:14:04.070 --> 01:14:11.630]  The main reason, and this is like the most incredible thing that I discovered in this
[01:14:13.450 --> 01:14:24.770]  investigation, is the main excuse, even from the minister, is that the ISP provider,
[01:14:24.770 --> 01:14:30.970]  the internet provider, and the email provider, which is the same, they couldn't fix their email
[01:14:30.970 --> 01:14:39.810]  for a year. So the main person, the minister of the health department, didn't have an email
[01:14:39.810 --> 01:14:47.610]  working properly for a year. And that was the excuse. And even this email, it was sent
[01:14:48.330 --> 01:14:56.350]  by the ISP provider, which is a big contract, it's $4 million per month contract they have.
[01:14:56.910 --> 01:15:03.870]  They say, it's correct, her email didn't work for a year. So, next one please.
[01:15:08.180 --> 01:15:14.280]  So the latest update, because this lasted for, this happened two years ago,
[01:15:14.280 --> 01:15:21.560]  and November the 8th, last year, it was the final, the final step, the Supreme Court ruled
[01:15:21.560 --> 01:15:28.720]  in my favor, so they had to pay me $25,000 in compensation, which is not what I wanted,
[01:15:28.720 --> 01:15:38.120]  but it's not that bad. Next one please. But the funny thing is that with that money,
[01:15:38.120 --> 01:15:45.440]  I had to pay the money that I spent going to DEF CON for two years. So I ended up with,
[01:15:45.440 --> 01:15:57.540]  I don't know, like $500. So what can we do to avoid these situations? In my country,
[01:15:58.040 --> 01:16:03.740]  as well as the entire world, we don't have a lot of people knowing that, that are experts in
[01:16:03.740 --> 01:16:10.980]  security. And people hiring, they don't, they don't even know what a computer science degree,
[01:16:10.980 --> 01:16:17.120]  it's different from a, from a, here we have different types, but it's a technical degree,
[01:16:17.120 --> 01:16:20.760]  you know, they don't have any, they don't know the differences. So when they hire someone,
[01:16:20.760 --> 01:16:25.880]  they will ask you, do you know about security? And say, yeah, I did this certification,
[01:16:25.880 --> 01:16:32.640]  okay, so you're, you're ready to help us with this issue. And it's the opposite. So
[01:16:33.260 --> 01:16:40.900]  we need to change our laws. I mean, we have the laws, but they're not enforced, right? The,
[01:16:40.900 --> 01:16:47.040]  and it, and I do, I have this, these topics in my classes that I do in this masters,
[01:16:47.400 --> 01:16:54.900]  that I explained some things that happen in other problems that ended up nowhere. I mean,
[01:16:54.900 --> 01:17:02.480]  the CTO of this health department, he was fined with 10% of his salary for one month.
[01:17:02.480 --> 01:17:11.800]  That was the only punishment. And we need, what I learned is that we need fewer rock stars and more
[01:17:11.800 --> 01:17:17.920]  mentors. And I'm actually mentoring a lot of students, five or six. Well, now it's weird
[01:17:17.920 --> 01:17:24.520]  because of COVID, right? Everything stopped, but we were competing tomorrow, actually,
[01:17:24.520 --> 01:17:31.560]  with four of them in the OSINT Trace Labs CTF. Next one, please.
[01:17:33.800 --> 01:17:42.020]  So which ticket is the last one? Well, me now, a lot of images of me sad or whatever.
[01:17:43.080 --> 01:17:45.960]  Next one. And I think it's the last one.
[01:17:48.300 --> 01:17:56.300]  Well, thank you. It was a long talk, a lot of problems involved. There's a link to the slides.
[01:17:57.360 --> 01:18:04.500]  That's my Twitter account and my LinkedIn account. I hope you liked it. And thank you
[01:18:04.500 --> 01:18:11.300]  to all of the organizers as well. I know that they're working a lot to get this through.
[01:18:12.560 --> 01:18:13.740]  Have a good day.
